
Add support to authenticate using GitHub App installation #456


Open. Wants to merge 2 commits into base: main

Conversation


@jcantosz jcantosz commented Apr 9, 2025

Porting the work of @scottluskcis from migration audit: timrogers/gh-migration-audit#257, timrogers/gh-migration-audit#264

Summary

This PR adds support for authentication using a GitHub App installation and also the use of the createAppAuth authStrategy that is part of auth-app.js. Specifically, new options have been added that allow specifying an app-id, private-key, and app-installation-id as options to the audit-all, audit-repos, and audit-repo commands. This will create an octokit instance that is authenticated as an installation, with automated installation token refresh as noted in Usage with Octokit.

This was necessary to take advantage of octokit's automated installation token refresh. When running gh-migration-audit with a command like audit-all that took longer than an hour, the token would expire. Using an authStrategy of createAppAuth allows for the automatic token refresh and successful completion of the command for larger orgs.

See also notes available at Choosing between a GitHub App or a personal access token. This process needed to be run periodically and did not need to be tied to a user account but rather a GitHub App instance.

NOTE: The original PR was reviewed at scottluskcis/gh-migration-audit#1; this PR was created to have a squash commit and clean history.

Changes

  • add new auth.ts file that handles creating the configuration passed to creation of an Octokit instance
  • update the options for the commands to optionally allow specification of the app-id, private-key, and app-installation-id
  • add tests for the auth.ts file added
  • add samples to the README for the new options and explanation in Authentication section
  • update octokit.ts to accept a string for token as it did before or an AuthConfig object, backwards compatible

This pull request introduces significant changes to the authentication mechanism used in the repository audit tool. The most important changes include adding support for GitHub App installation authentication, updating the command options to accommodate the new authentication method, and refactoring the code to handle both token and installation authentication seamlessly.

Documentation
Updated README describing changes

Usage
New options displayed in --help; note the addition of --app-installation-id, --app-id, and --private-key. Also note the environment variable display for these and for --access-token.

[Screenshot of the --help output, 2025-04-09]

Closes: #455
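As an added illustration (not the PR's own auth.ts or octokit.ts) of the option handling described above: the three App options must be given together, otherwise the plain access token is used, and the resulting value is either a token string or an AuthConfig that octokit.ts can accept interchangeably. The camelCase option names, the AuthConfig shape, and passing createAppAuth in as a parameter (so this compiles without @octokit/auth-app) are assumptions of this example.

```typescript
// Hypothetical option shape after CLI parsing (names assumed, not the project's).
export interface CliOptions {
  accessToken?: string;
  appId?: string;
  privateKey?: string;
  appInstallationId?: string;
}

// Assumed AuthConfig: what gets spread into `new Octokit({...})` for an
// installation. `authStrategy` is createAppAuth from @octokit/auth-app,
// supplied by the caller here so the example has no package dependency.
export interface AuthConfig {
  authStrategy: unknown;
  auth: { appId: string; privateKey: string; installationId: number };
}

// Resolve CLI options to a token string (legacy path) or an AuthConfig
// (installation path with automatic token refresh). Partial App options
// are an error rather than silently falling back to the access token.
export function resolveAuth(opts: CliOptions, authStrategy: unknown): string | AuthConfig {
  const { accessToken, appId, privateKey, appInstallationId } = opts;
  const provided = [appId, privateKey, appInstallationId]
    .filter((v) => typeof v === "string" && v.length > 0).length;

  if (provided === 3 && appId && privateKey && appInstallationId) {
    const installationId = Number(appInstallationId);
    if (!Number.isInteger(installationId) || installationId <= 0) {
      throw new Error("--app-installation-id must be a positive integer");
    }
    return { authStrategy, auth: { appId, privateKey, installationId } };
  }
  if (provided > 0) {
    throw new Error("--app-id, --private-key and --app-installation-id must be given together");
  }
  if (accessToken && accessToken.length > 0) {
    return accessToken;
  }
  throw new Error("no credentials: pass --access-token or the three GitHub App options");
}

// Build the constructor options for Octokit from either form, keeping the
// old string-token behaviour intact.
export function octokitOptions(auth: string | AuthConfig): Record<string, unknown> {
  return typeof auth === "string"
    ? { auth }
    : { authStrategy: auth.authStrategy, auth: auth.auth };
}
```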

Successfully merging this pull request may close these issues.

Add support to authenticate with octokit using GitHub App Installation